Sophos Warns of Twitter Malware Campaign

Sophos researchers are warning of a Twitter spam campaign in which thousands of tweets reading "It's you on photo?" or "It's about you?" include links to infected sites.

"If you see tweets like this, please do not click on them," writes Sophos' Graham Cluley. "There isn't a photo of you waiting at the end of the link -- and the accounts that are spreading the messages have either been compromised by hackers or have been created by hackers with the purpose of spreading dangerous links like this. Sophos detects the malware at the end of the link as Troj/JSRedir-HY, a Dean Edwards multiply-packed (see Fraser Howard's technical paper 'Malware with your Mocha' for an explanation of this obfuscating packer) JavaScript. The script redirects to an IP address that itself redirects to a .CU.CC domain, to load executable code (Sophos is adding detection of this as Troj/Agent-XES) and you ultimately end up on a .SU domain that contains the Blackhole exploit kit."

"Cluley warned that if Twitter users have not properly protected their PCs, they will be putting their computers and personal data at risk by clicking on the malicious links," writes Computer Weekly's Warwick Ashford. "Businesses and consumers can help reduce the vulnerability of computers to the Blackhole exploit kit by making sure all browsers and browser plug-ins are up to date. The Blackhole exploit kit typically targets vulnerabilities in older versions of browsers and plug-ins such as Adobe Flash, Adobe Reader, Firefox, Google Chrome, Internet Explorer and Safari."

"Webroot says that in addition to this English-based attack, a Russian spam campaign, which started on July 23, appears to be the origin of this attack," writes ZDNet's Emil Protalinski. "This makes sense given that many of the domains appear to be .ru (and the redirection seems to take place through traffichouse.ru)."
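The reporting above describes a lure phrase on Twitter followed by a redirect chain (obfuscated JavaScript, an IP-literal hop, a .CU.CC domain, then a .SU domain hosting the exploit kit). The following is an added example, not code from Sophos, Webroot or any of the quoted writers, showing how a defender might flag that shape in proxy logs; the log records and hostnames are constructed placeholders, and the scoring thresholds are my own assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Lure phrases quoted in the Sophos warning, and the hop types the reported
# chain passes through: an IP-literal host, then a .cu.cc host, then a .su host.
LURE_RE = re.compile(r"it's (?:you on photo|about you)\?", re.IGNORECASE)
SUSPECT_SUFFIXES = (".cu.cc", ".su")

# Constructed proxy records (client, referrer, requested URL). The hosts are
# invented placeholders for this example, not indicators taken from the report.
SAMPLE_LOG = [
    ("10.0.0.5", "https://twitter.com/", "http://lure.example.invalid/p.html"),
    ("10.0.0.5", "http://lure.example.invalid/p.html", "http://203.0.113.7/go.php"),
    ("10.0.0.5", "http://203.0.113.7/go.php", "http://ld.example.cu.cc/x.exe"),
    ("10.0.0.5", "http://ld.example.cu.cc/x.exe", "http://kit.example.su/index.php"),
    ("10.0.0.9", "https://twitter.com/", "https://news.example.org/story"),
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()
def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def chains_from_log(log):
    """Per client, follow referrer -> URL links into an ordered list of hosts."""
    chains = {}
    for client, referrer, url in log:
        chain = chains.setdefault(client, [host_of(referrer)])
        if chain[-1] == host_of(referrer):  # this request continues the chain
            chain.append(host_of(url))
    return chains

def suspicious_hops(chain):
    """Describe each hop that matches the redirect pattern from the article."""
    reasons = []
    for host in chain:
        if is_ip_literal(host):
            reasons.append("ip-literal:" + host)
        elif host.endswith(SUSPECT_SUFFIXES):
            reasons.append("suffix:" + host)
    return reasons
def is_lure_tweet(text):
    return bool(LURE_RE.search(text))
def flagged_clients(log):
    """Clients whose chain starts at twitter.com and has >= 2 suspicious hops."""
    return {c: suspicious_hops(h) for c, h in chains_from_log(log).items()
            if h[0] == "twitter.com" and len(suspicious_hops(h)) >= 2}
```

Running `flagged_clients(SAMPLE_LOG)` reports only the first client, with the IP-literal, .cu.cc and .su hops listed as the reasons; the second client's ordinary navigation from Twitter is left alone.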